Friday, February 6, 2015

vsx_tool undocumented feature surfaces on the latest Check Point management

Apparently, latest versions of vsx_util binary have new undocumented option: downgrade.

As you may know, vsx_util is a management tool used for maintenance of VSX systems. It allows administrators to perform multiple advanced operations that are unavailable from SmartDashboard GUI client, such as changing clustering mode, adjusting VSLS distribution, setting a different "funny IP" addresses on the modules, etc.

It is also used to upgrade the management definitions of VSX object, with vsx_util upgrade. In this case the tool changes VSX object's version and makes changes in the parameters of the object. This option is routinely used to upgrade VSX systems. GWs are just re-installed with the new version, then vsx_util upgrade takes care of MGMT side changes and calls for vsx_util reconfigure procedure to push config to the newly installed VSX cluster members.

As it seems today, vsx_util downgrade does exactly the opposite. Mind this feature is not documented and hence not supported. Using it (assuming it will be supported soon) will allow faster and safer roll-back procedures in case of upgrade failure.

Thanks to my old friend and a brilliant Check Point expert Jason Card for reporting this information to me.

No comments:

Post a Comment